diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
index 1956360e120..93b6fc60816 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -25,8 +25,12 @@ private class TypeType extends RefType {
   }
 }
 
-/** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
-class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `SensitiveLoggerConfiguration` module instead.
+ *
+ * A data-flow configuration for identifying potentially-sensitive data flowing to a log output.
+ */
+deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
   SensitiveLoggerConfiguration() { this = "SensitiveLoggerConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
@@ -43,3 +47,22 @@ class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
 
   override predicate isSanitizerIn(Node node) { this.isSource(node) }
 }
+
+/** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
+module SensitiveLoggerConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
+
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer.asExpr() instanceof LiveLiteral or
+    sanitizer.getType() instanceof PrimitiveType or
+    sanitizer.getType() instanceof BoxedType or
+    sanitizer.getType() instanceof NumberType or
+    sanitizer.getType() instanceof TypeType
+  }
+
+  predicate isBarrierIn(Node node) { isSource(node) }
+}
+
+module SensitiveLoggerFlow = TaintTracking::Make;
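Review bot: The deprecation comment on the class points readers only to the configuration module, but a caller that previously wrote `cfg.hasFlowPath(source, sink)` also needs the instantiated flow module, so the note should name it as well, e.g. `DEPRECATED: Use the SensitiveLoggerConfiguration module with SensitiveLoggerFlow (for hasFlowPath and PathGraph) instead.` Since the deprecated class and the new module share the name SensitiveLoggerConfiguration, a one-line remark that the module is the one to pass to TaintTracking::Make would save readers a lookup. The class body continues outside this hunk.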
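Review bot: `isBarrierIn` in the new module takes a bare `Node` while every other predicate in the module spells the type as `DataFlow::Node`; for consistency the signature should read `predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`. The final added line `module SensitiveLoggerFlow = TaintTracking::Make;` shows no type argument in this view; if that is not an artefact of how the hunk was rendered, the alias needs the configuration module as its parameter, otherwise the query that imports `SensitiveLoggerFlow::PathGraph` will not compile. The barrier list in `isBarrier` presumably mirrors the legacy `isSanitizer` body, which sits between the two hunks and is not visible here, so that equivalence is worth confirming before the old class is removed.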
diff --git a/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql b/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql
index 6f32b9768cb..a884ba6c242 100644
--- a/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql
+++ b/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql
@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.SensitiveLoggingQuery
-import PathGraph
+import SensitiveLoggerFlow::PathGraph
 
-from SensitiveLoggerConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from SensitiveLoggerFlow::PathNode source, SensitiveLoggerFlow::PathNode sink
+where SensitiveLoggerFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This $@ is written to a log file.", source.getNode(),
   "potentially sensitive information"